public inbox for gcc-bugs@sourceware.org
* [Bug ada/99624] New: Address sanitizer detects heap-buffer-overflow in namet.adb
From: zeccav at gmail dot com @ 2021-03-17 12:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
Bug ID: 99624
Summary: Address sanitizer detects heap-buffer-overflow in namet.adb
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: ada
Assignee: unassigned at gcc dot gnu.org
Reporter: zeccav at gmail dot com
Target Milestone: ---
While building the Ada compiler the address sanitizer detects a
heap-buffer-overflow in namet.adb line 157:
Index : constant Int := Name_Entries.Table (Id).Name_Chars_Index;
because Id=-399990000
make[7]: Entering directory '/home/vitti/gcc-150321-ada-address/gcc/ada/rts'
/home/vitti/gcc-150321-ada-address/./gcc/xgcc
-B/home/vitti/gcc-150321-ada-address/./gcc/
-B/home/vitti/local/gcc-150321-ada-address/x86_64-pc-linux-gnu/bin/
-B/home/vitti/local/gcc-150321-ada-address/x86_64-pc-linux-gnu/lib/ -isystem
/home/vitti/local/gcc-150321-ada-address/x86_64-pc-linux-gnu/include -isystem
/home/vitti/local/gcc-150321-ada-address/x86_64-pc-linux-gnu/sys-include -c
-g -O2 -fpic -W -Wall -gnatpg -nostdinc a-assert.adb -o a-assert.o
=================================================================
==1168930==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6320000007e0 at pc 0x00000093e734 bp 0x7ffe21e0f6b0 sp 0x7ffe21e0f6a8
READ of size 4 at 0x6320000007e0 thread T0
#0 0x93e733 in namet__append__5 ../../gcc-150321/gcc/ada/namet.adb:157
#1 0x93f260 in namet__append_decoded ../../gcc-150321/gcc/ada/namet.adb:177
#2 0x942c2c in namet__get_decoded_name_string
../../gcc-150321/gcc/ada/namet.adb:787
#3 0xe1769e in sem_util__get_default_external_name
../../gcc-150321/gcc/ada/sem_util.adb:10490
#4 0x8adfd5 in freeze__freeze_entity
../../gcc-150321/gcc/ada/freeze.adb:5493
#5 0x8ac9a5 in freeze__freeze_before
../../gcc-150321/gcc/ada/freeze.adb:2126
#6 0xbb087c in sem_ch3__analyze_object_declaration
../../gcc-150321/gcc/ada/sem_ch3.adb:4152
#7 0xaa2e76 in sem__analyze ../../gcc-150321/gcc/ada/sem.adb:351
#8 0xbaadf0 in sem_ch3__analyze_declarations
../../gcc-150321/gcc/ada/sem_ch3.adb:2655
#9 0xc63de4 in sem_ch7__analyze_package_specification
../../gcc-150321/gcc/ada/sem_ch7.adb:1582
#10 0xaa3092 in sem__analyze ../../gcc-150321/gcc/ada/sem.adb:459
#11 0xc638b0 in sem_ch7__analyze_package_declaration
../../gcc-150321/gcc/ada/sem_ch7.adb:1210
#12 0xaa3065 in sem__analyze ../../gcc-150321/gcc/ada/sem.adb:450
#13 0xb0386d in sem_ch10__analyze_compilation_unit
../../gcc-150321/gcc/ada/sem_ch10.adb:913
#14 0xaa2b1f in sem__analyze ../../gcc-150321/gcc/ada/sem.adb:180
#15 0xaa5125 in sem__semantics__do_analyze
../../gcc-150321/gcc/ada/sem.adb:1421
#16 0xaa5d48 in sem__semantics ../../gcc-150321/gcc/ada/sem.adb:1615
#17 0xb0376a in sem_ch10__analyze_compilation_unit
../../gcc-150321/gcc/ada/sem_ch10.adb:878
#18 0xaa2b1f in sem__analyze ../../gcc-150321/gcc/ada/sem.adb:180
#19 0xaa5125 in sem__semantics__do_analyze
../../gcc-150321/gcc/ada/sem.adb:1421
#20 0xaa5d48 in sem__semantics ../../gcc-150321/gcc/ada/sem.adb:1615
#21 0xb0957b in sem_ch10__analyze_with_clause
../../gcc-150321/gcc/ada/sem_ch10.adb:2634
#22 0xaa338d in sem__analyze ../../gcc-150321/gcc/ada/sem.adb:613
#23 0xb04fdd in sem_ch10__analyze_context
../../gcc-150321/gcc/ada/sem_ch10.adb:1433
#24 0xb03268 in sem_ch10__analyze_compilation_unit
../../gcc-150321/gcc/ada/sem_ch10.adb:700
#25 0xaa2b1f in sem__analyze ../../gcc-150321/gcc/ada/sem.adb:180
#26 0xaa5125 in sem__semantics__do_analyze
../../gcc-150321/gcc/ada/sem.adb:1421
#27 0xaa5d48 in sem__semantics ../../gcc-150321/gcc/ada/sem.adb:1615
#28 0xb032b7 in sem_ch10__analyze_compilation_unit
../../gcc-150321/gcc/ada/sem_ch10.adb:719
#29 0xaa2b1f in sem__analyze ../../gcc-150321/gcc/ada/sem.adb:180
#30 0xaa5125 in sem__semantics__do_analyze
../../gcc-150321/gcc/ada/sem.adb:1421
#31 0xaa5d48 in sem__semantics ../../gcc-150321/gcc/ada/sem.adb:1615
#32 0x8d0e5f in _ada_frontend ../../gcc-150321/gcc/ada/frontend.adb:422
#33 0xefdd8c in _ada_gnat1drv ../../gcc-150321/gcc/ada/gnat1drv.adb:1237
#34 0x496d83 in gnat_parse_file
../../gcc-150321/gcc/ada/gcc-interface/misc.c:118
#35 0x2182d2d in compile_file ../../gcc-150321/gcc/toplev.c:457
#36 0x218bfe8 in do_compile ../../gcc-150321/gcc/toplev.c:2201
#37 0x218c84b in toplev::main(int, char**)
../../gcc-150321/gcc/toplev.c:2340
#38 0x4c08b33 in main ../../gcc-150321/gcc/main.c:39
#39 0x1468000181e1 in __libc_start_main (/usr/lib64/libc.so.6+0x281e1)
#40 0x41c48d in _start
(/home/vitti/gcc-150321-ada-address/gcc/gnat1+0x41c48d)
0x6320000007e0 is located 32 bytes to the left of 96000-byte region
[0x632000000800,0x632000017f00)
allocated by thread T0 here:
#0 0x146800786a8f in __interceptor_malloc
../../../../gcc-150221/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xa50761 in __gnat_malloc
../../gcc-150321/gcc/ada/libgnat/s-memory.adb:81
#2 0x93ce5b in namet__name_entries__reallocate
../../gcc-150321/gcc/ada/table.adb:208
#3 0x93ccbd in namet__name_entries__init
../../gcc-150321/gcc/ada/table.adb:147
#4 0x947bc5 in namet___elabs ../../gcc-150321/gcc/ada/table.adb:393
#5 0xf0204d in adainit ada/b_gnat1.adb:334
#6 0x496d7e in gnat_parse_file
../../gcc-150321/gcc/ada/gcc-interface/misc.c:115
#7 0x2182d2d in compile_file ../../gcc-150321/gcc/toplev.c:457
#8 0x218bfe8 in do_compile ../../gcc-150321/gcc/toplev.c:2201
#9 0x218c84b in toplev::main(int, char**)
../../gcc-150321/gcc/toplev.c:2340
#10 0x4c08b33 in main ../../gcc-150321/gcc/main.c:39
#11 0x1468000181e1 in __libc_start_main (/usr/lib64/libc.so.6+0x281e1)
SUMMARY: AddressSanitizer: heap-buffer-overflow
../../gcc-150321/gcc/ada/namet.adb:157 in namet__append__5
Shadow bytes around the buggy address:
==1168930==ABORTING
From: marxin at gcc dot gnu.org @ 2021-03-17 13:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |86656
CC| |ebotcazou at gcc dot gnu.org,
| |marxin at gcc dot gnu.org
Ever confirmed|0 |1
Last reconfirmed| |2021-03-17
Status|UNCONFIRMED |NEW
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] [meta-bug] Issues found with -fsanitize=address
From: ebotcazou at gcc dot gnu.org @ 2021-03-17 14:33 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
Eric Botcazou <ebotcazou at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |WAITING
--- Comment #1 from Eric Botcazou <ebotcazou at gcc dot gnu.org> ---
> While building the Ada compiler the address sanitizer detects a
> heap-buffer-overflow in namet.adb line 157:
>
> Index : constant Int := Name_Entries.Table (Id).Name_Chars_Index;
>
> because Id=-399990000
The table is declared like this though:
package Name_Entries is new Table.Table (
Table_Component_Type => Name_Entry,
Table_Index_Type => Valid_Name_Id'Base,
Table_Low_Bound => First_Name_Id,
Table_Initial => Alloc.Names_Initial,
Table_Increment => Alloc.Names_Increment,
Table_Name => "Name_Entries");
with:
First_Name_Id : constant Name_Id := Names_Low_Bound + 2;
-- Subscript of first entry in names table
subtype Valid_Name_Id is Name_Id range First_Name_Id .. Name_Id'Last;
-- All but No_Name and Error_Name
and:
Names_Low_Bound : constant := -399999999;
so Id = -399990000 is well within the allowed range (9997 0-based index).
Are you sure that Id is not equal to Names_Low_Bound, which would be the -2
0-based index and, therefore, -32 bytes since the size of Name_Entry is 16?
On the other hand, this would mean that:
pragma Assert (Is_Valid_Name (Id));
would have triggered because the compiler is supposed to be configured with
assertions enabled on the mainline, so I'm quite at a loss here.
It looks like the address sanitizer is miscompiling the Ada compiler?
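As an added check of the arithmetic in Comment #1 (this is not code from GCC or from the thread): the C model below rebases a Name_Id on First_Name_Id the way Table.Table does, using the constants quoted above, and assumes 16 bytes per Name_Entry and the region start taken from the ASan report; it shows where the reported Id and Names_Low_Bound each land.

```c
/* Added example, not GCC code: reproduces the index arithmetic of Comment #1.
 * NAMES_LOW_BOUND and FIRST_NAME_ID are the values quoted in the thread;
 * NAME_ENTRY_SIZE (16) is the size Comment #1 states for Name_Entry, and
 * REGION_START is the start of the 96000-byte region in the ASan report. */
#include <stdbool.h>
#include <stdio.h>

#define NAMES_LOW_BOUND  (-399999999L)            /* Names_Low_Bound */
#define FIRST_NAME_ID    (NAMES_LOW_BOUND + 2)    /* First_Name_Id = Names_Low_Bound + 2 */
#define NAME_ENTRY_SIZE  16L                      /* size of Name_Entry, per Comment #1 */
#define REGION_START     0x632000000800ULL        /* allocated region start, from the report */

struct name_index {
    bool valid;              /* Id in Valid_Name_Id, i.e. Id >= First_Name_Id */
    long zero_based;         /* Id - First_Name_Id: the 0-based table index */
    long byte_offset;        /* zero_based * sizeof(Name_Entry), relative to the table start */
    unsigned long long addr; /* where that entry would sit relative to the reported region */
};

/* What Name_Entries.Table (Id) amounts to: rebase on the low bound and scale
 * by the component size. The validity flag is what pragma Assert
 * (Is_Valid_Name (Id)) guards; false means the access is below the first
 * entry, i.e. inside ASan's left redzone. */
struct name_index name_entries_index(long id)
{
    struct name_index r;
    r.zero_based = id - FIRST_NAME_ID;
    r.byte_offset = r.zero_based * NAME_ENTRY_SIZE;
    /* unsigned wrap-around makes a negative offset a subtraction from the base */
    r.addr = REGION_START + (unsigned long long)r.byte_offset;
    r.valid = id >= FIRST_NAME_ID;
    return r;
}

int main(void)
{
    /* the Id the reporter printed, then the candidate Comment #1 suggests */
    long ids[] = { -399990000L, NAMES_LOW_BOUND };
    for (int i = 0; i < 2; i++) {
        struct name_index r = name_entries_index(ids[i]);
        printf("Id %ld: valid=%d index=%ld offset=%ld bytes addr=0x%llx\n",
               ids[i], r.valid, r.zero_based, r.byte_offset, r.addr);
    }
    return 0;
}
```

Only Names_Low_Bound yields offset -32 and the faulting address 0x6320000007e0 from the report; the printed Id -399990000 would have landed 9997 entries to the right of the table start.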
From: zeccav at gmail dot com @ 2021-03-17 15:12 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
--- Comment #2 from Vittorio Zecca <zeccav at gmail dot com> ---
Yes, probably gcc -fsanitize=address is miscompiling the Ada compiler.
I had to take out the -gnata option to disable pragma assert that was failing.
So I do not know if this is a genuine compiler bug or it is due to
miscompilation.
The Ada compiler compiled with the undefined behavior sanitizer compiles and
works fine, with a successful run of the testsuite.
From: ebotcazou at gcc dot gnu.org @ 2021-03-17 16:36 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
Eric Botcazou <ebotcazou at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|WAITING |SUSPENDED
--- Comment #3 from Eric Botcazou <ebotcazou at gcc dot gnu.org> ---
> Yes, probably gcc -fsanitize=address is miscompiling the Ada compiler.
> I had to take out the -gnata option to disable pragma assert that was
> failing.
OK, thanks for the confirmation.
> So I do not know if this is a genuine compiler bug or it is due to
> miscompilation.
Most probably -fsanitize=address does not work correctly on Ada code.
> The Ada compiler compiled with the undefined behavior sanitizer
> compiles and works fine with a successful run of the testsuite.
Interesting data point, thanks.
From: zeccav at gmail dot com @ 2021-03-17 16:42 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
--- Comment #4 from Vittorio Zecca <zeccav at gmail dot com> ---
I added
pragma Assert (Id in Name_Entries.Table'Range);
at namet.adb:156, but then I get at compile time
namet.adb:156:25: warning: condition can only be False if invalid values
present
and the build stops.
I am very very rusty on Ada, what should I do to check that Id is good?
From: ebotcazou at gcc dot gnu.org @ 2021-03-17 16:47 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
--- Comment #5 from Eric Botcazou <ebotcazou at gcc dot gnu.org> ---
> I am very very rusty on Ada, what should I do to check that Id is good?
Probably put back the original assert on line 155.
From: zeccav at gmail dot com @ 2021-03-18 7:56 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
--- Comment #6 from Vittorio Zecca <zeccav at gmail dot com> ---
It is not that easy, unfortunately.
If I compile the build with -gnata, thereby arming the pragma assert,
the build fails.
So I had to build without -gnata.
Now trying to build Ada with gcc 9.1.0.
Earlier versions do not work.
Did you try building Ada with address sanitation?
From: ebotcazou at gcc dot gnu.org @ 2021-03-18 8:33 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
--- Comment #7 from Eric Botcazou <ebotcazou at gcc dot gnu.org> ---
> If I compile the build with -gnata, thereby arming the pragma assert,
> the build fails.
Then this proves that the sanitizer does not work since the assertion does not
trigger in a regular build, so there is no need to dig deeper.
> Did you try building Ada with address sanitation?
No, I don't think so.
From: zeccav at gmail dot com @ 2021-03-18 8:40 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
--- Comment #8 from Vittorio Zecca <zeccav at gmail dot com> ---
Address sanitizer of Version 11.0.1 current trunk miscompiles the Ada
compiler, maybe a previous version would work.
Undefined behavior sanitizer works.
I am now trying to build the Ada compiler with gcc 9.1.0.
From: zeccav at gmail dot com @ 2021-03-19 9:09 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99624
Vittorio Zecca <zeccav at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|SUSPENDED |RESOLVED
Resolution|--- |INVALID
--- Comment #9 from Vittorio Zecca <zeccav at gmail dot com> ---
I believe this is an invalid issue; the real issue is that gcc miscompiles
the Ada compiler with the option -fsanitize=address.
I am opening a new issue with the GNAT BUG DETECTED message.